Cyber-criminals are making money with intellectual-property theft, stealing trade secrets, marketing plans, research results and source code, according to a McAfee report.

Cyber-criminals are
increasingly targeting intellectual property and trade secrets, according to a
new research report from McAfee.
Cyber-criminals are making
money stealing trade secrets, marketing plans, research and development findings,
and even source code, according to a report released March 28 by McAfee. As
attacks on intellectual property increase, organizations are also less willing
to publicize or thoroughly investigate the incident, the report found.

Hacking into corporate networks
and stealing information is proving easier and more lucrative, said Chris
Drake, CEO of Firehost.

"Cyber-criminals have
shifted their focus from physical assets to data-driven properties, such as
trade secrets or product-planning documents," said Simon Hunt, vice
president and chief technology officer, endpoint security at McAfee.
The report is quite timely,
considering the recent attack against RSA, which resulted in the compromise of
sensitive data related to the company's SecurID
two-factor authentication technology. Many corporations in both the private
and public sectors rely on the technology to guard their systems, and after the
RSA breach, many are wondering if they will be targeted next.
More than half of
organizations decided at one point or another not to investigate further a
breach because of the cost of the investigation, the report found. Small
incidents are often investigated internally instead of getting a third-party
expert, which increases the chances that the breached organization won't
properly close security holes or sufficiently beef up the defenses, the
researchers noted in the report. Future penetration is possible if the threat persists,
and in the case of an inside attack, the responsible party is not stopped, the
report found.
Recent attacks such as Operation
Aurora and Night Dragon have shown that some of the largest and "seemingly
most protected" corporations are vulnerable, according to Hunt. "Criminals are
targeting corporate intellectual capital and they are often succeeding,"
he said.
Botnet and malware-driven
attacks looking for sensitive personal information, such as names, addresses,
birth dates, and financial details, will continue, but corporate espionage is
gaining currency among the cyber-criminal underground, according to the report.
The number of states with
breach-notification laws mandating that financial and health care organizations
publicize when customer information is compromised means it's harder for
miscreants to fly under the radar, the report said. On the other hand, if
marketing plans or technical specifications are stolen and sold to a
competitor, companies are generally likely to keep the incident quiet.
Intellectual-property theft
and data breaches are not publicized because businesses are concerned that
admitting to a vulnerability could attract unwanted attention from other
attackers, the report found. About half the organizations studied also were
concerned about their reputations, as publicizing the incident could damage their
brand reputation and have an impact on shareholder value, the report found.
"Today, a public company can
lose a top-secret recipe, a go-to-market plan or other key secret, and they are
reluctant to report it, given the potential backlash from customers,
shareholders and the market," the researchers wrote.
Approximately 60 percent of
surveyed organizations said they "pick and choose" which breaches to report,
"depending on how they feel about them," according to the report. Only 30
percent reported all data breaches and losses related to intellectual property
to government agencies, stockholders and law enforcement. About 10 percent
claimed to report breaches and losses only when legally required to do so,
according to the survey.
Leaked emails showed a
number of companies, including Morgan
Stanley and Walt Disney, had chosen not to publicize having been attacked
in 2010.
Even though it's not always
possible to trace the source of attacks because of IP address spoofing and
other techniques, respondents considered China, Russia and Pakistan as the
least-safe countries to do business with, according to the survey. The United
States, United Kingdom and Germany were considered the safest.
The report, entitled
"Underground Economies: Intellectual Capital and Sensitive Corporate Data Now
the Latest Cybercrime Currency," surveyed 1,000 technology managers in the
United States, the United Kingdom, Japan, China, India, Brazil and the Middle East.